Security Think Tank: Data controllers are essential in modern business environment

Why is it important to know where data flows, with whom it's shared and where it lives at rest, and what is the best way of achieving this?

Failing to map where data is held and how it flows in a company’s IT system is often cited as an information security weakness – and a key reason for a company falling foul of a compliance test.


Consider these questions:

Do you know what data your company holds, its value and its type (public/internal)?

Do you know who in your company owns or has control over each set of data?

Is the data transient or persistent and if persistent do you know the lifetime of that data?

Do you know why the company holds the data and what it does with the data?

Is the data necessary?

Do you know where all the data (by type) is stored or will be stored?

Do you know what processes each data type will be subject to?

Do you know who or what process can see or change the data and are they authorised to do so?

The answers to these questions form an important input to understanding the data flows in a company, which in turn informs the information security planning. The goal is systems that are secure by design, with an information security management system (ISMS) that keeps the data safe, free from tampering and free from unauthorised access.

In turn, these are key ingredients to meeting compliance requirements be they contractual, legal or regulatory. The General Data Protection Regulation (GDPR) is an exemplar of where poor information security will directly lead to a state of non-compliance.

A key part of information security is controlling who or what can access data and for what purpose. A data owner or controller should decide who or what has access to a specific set of data and what can be done with it (read only, read and update, process). Modern operating systems and file storage applications provide this granularity by design.

Sadly, a general poor understanding of security by both the business and management of a company has meant in the past that information security has been thrown over the fence to IT. While IT can design and configure systems to be secure, they should not be put in a position to specify what security is required.


Where this happens, it often leads to a flat file system with everyone having access to everything. This is a recipe to fail a “secure by design” compliance requirement (GDPR) and a recipe for disaster should ransomware get into the company.

It is within the business that data owners or data controllers should be formally identified by role, and in that role they should identify to IT who or what process can create/import or export/modify/read a set of data, and what the data set’s lifetime is.
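The questions above and the owner-to-IT hand-off described in this paragraph amount to a data register that can be checked mechanically. The following is an added example, not code from the article or from any product it mentions: it models each data set with the attributes the questions ask about (owner, location at rest, purpose, lifetime, who may do what, who it is shared with) and flags the conditions the article warns about, namely missing ownership or lifetime, "everyone can access everything" grants on internal data, and flows to recipients the business has not approved. The field names, the `everyone` wildcard principal and the sample register are all constructed for the example.

```python
"""Data-register checks for ownership, lifetime, access and sharing (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Operations a data owner can grant, using the article's own vocabulary
ACTIONS = frozenset({"create", "import", "export", "modify", "read"})
EVERYONE = "everyone"  # hypothetical wildcard principal meaning "all staff"


@dataclass
class DataSet:
    name: str
    classification: str                       # "public" or "internal"
    owner: str | None = None                  # accountable business role, not IT
    location: str | None = None               # where the data lives at rest
    purpose: str | None = None                # why the company holds it
    retention_days: int | None = None         # lifetime; None means none defined
    access: dict[str, frozenset[str]] = field(default_factory=dict)  # principal -> actions
    shared_with: frozenset[str] = frozenset() # external recipients it flows to


def check_dataset(ds: DataSet, approved_recipients: frozenset[str]) -> list[str]:
    """Return governance findings for one data set; an empty list means it passes."""
    findings: list[str] = []
    if ds.owner is None:
        findings.append("no data owner or controller assigned")
    if ds.location is None:
        findings.append("location at rest unknown")
    if ds.purpose is None:
        findings.append("no documented purpose for holding the data")
    if ds.retention_days is None:
        findings.append("persistent data with no defined lifetime")
    for principal, actions in ds.access.items():
        unknown = actions - ACTIONS
        if unknown:
            findings.append(f"{principal}: undefined actions {sorted(unknown)}")
        # The "flat file system" case: everyone can reach non-public data,
        # or everyone can change data that should only be readable.
        if principal == EVERYONE and ds.classification != "public":
            findings.append("flat access: everyone can reach internal data")
        elif principal == EVERYONE and actions - {"read"}:
            findings.append("flat access: everyone can change public data")
    for recipient in sorted(ds.shared_with - approved_recipients):
        findings.append(f"shared with unapproved recipient {recipient}")
    return findings


def check_register(register: list[DataSet],
                   approved_recipients: frozenset[str]) -> dict[str, list[str]]:
    """Run the checks across the whole register; only failing data sets are returned."""
    report: dict[str, list[str]] = {}
    for ds in register:
        findings = check_dataset(ds, approved_recipients)
        if findings:
            report[ds.name] = findings
    return report


# Constructed sample register: one well-governed data set and one that is not.
SAMPLE_REGISTER = [
    DataSet(
        name="customer-contacts",
        classification="internal",
        owner="Head of Sales",
        location="crm-db (EU region)",
        purpose="order fulfilment and support",
        retention_days=730,
        access={"sales-team": frozenset({"read", "modify"}),
                "crm-import-job": frozenset({"import"})},
        shared_with=frozenset({"payment-processor"}),
    ),
    DataSet(
        name="shared-drive-scans",
        classification="internal",
        access={EVERYONE: frozenset({"read", "modify", "delete"})},
        shared_with=frozenset({"unknown-saas-sync"}),
    ),
]
APPROVED_RECIPIENTS = frozenset({"payment-processor"})

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, APPROVED_RECIPIENTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script lists only `shared-drive-scans`, with seven findings: no owner, no location, no purpose, no lifetime, an action outside the agreed vocabulary, a flat everyone-can-access grant on internal data, and a flow to an unapproved recipient. The well-governed `customer-contacts` set produces nothing, which is the point of the exercise: the register gives IT an unambiguous statement from the business of who may do what with each data set, and the checks show where that statement is incomplete.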

Companies should also create an information security role, and for larger companies and public bodies a data protection officer (DPO) role will also need to be created to comply with GDPR.

These roles would be active with IT and the data owners or controllers in the design and maintenance of an ISMS and the ongoing management of data. These roles would also be involved with or responsible for the management of IT related compliance requirements including GDPR.

Given the rise in outsourcing of IT to the cloud, and the ability to create systems using a range of services bought in from a variety of cloud suppliers, these roles will become critical as the boundaries between systems become “grey” and the information security of the IT supply chain becomes an imperative.
